OpenBao Rust SDK
openbao is a secure, typed, async Rust SDK for
OpenBao, the community-driven open source fork of
Vault. It is designed for audited secret workflows: HTTPS by default, no
redirect forwarding, strict path validation, secret-aware token types, and a
small reviewed dependency surface.
The crate name on crates.io is openbao; Rust imports are lowercase:

```rust
use openbao::Client;
```
This README documents the 0.9.0 development line. 0.9.0 builds on the
released 0.8.0 API with stabilization work for migration guidance, public API
audit evidence, retry and pagination ergonomics, bootstrap convergence, fixture
and fuzz hardening, and near-1.0 decisions.
The crate is dual-licensed under MIT or Apache-2.0.
Current Status
Implemented now:
- Async client with typestate authentication.
- Direct token authentication with re-exported openbao::SecretString.
- AppRole login plus role and SecretID administration, with role IDs, SecretIDs, accessors, and returned tokens treated as secret material.
- Kubernetes auth login plus config and role administration helpers.
- TLS certificate auth login, method config, CA role, and CRL administration helpers.
- JWT login plus JWT/OIDC auth method config, role administration, browser authorization URL, callback, and direct/device polling helpers.
- LDAP auth login plus config and user/group policy mapping helpers.
- RADIUS login plus config and user policy mapping helpers.
- Kerberos login plus service-account, LDAP config, and group policy mapping helpers.
- Userpass login plus user create/read/list/delete, password update, and policy update helpers.
- Token create, role create/read/list/delete, lookup, accessor lookup/list, renew, revoke, revoke-orphan, revoke-self, and tidy helpers.
- KV v2 read, write, CAS write, patch, list, latest delete, version read, version delete, undelete, destroy, metadata, backend config, typed data, and secret-aware service config read/write helpers.
- KV v1 read, write, delete, and list helpers.
- Cubbyhole read, optional read, write, delete, and list helpers for token-scoped handoff data.
- Kubernetes secrets engine config, role create/read/list/delete, and service account credential generation helpers.
- RabbitMQ secrets engine connection config, lease config, role create/read/list/delete, and dynamic credential helpers.
- Database connection config, dynamic roles, static roles, root/static rotation, and credential helpers.
- Identity entity, group, entity-alias, and group-alias lifecycle, lookup, and entity merge helpers.
- LDAP secrets engine config, static role, dynamic role, credential, library checkout, and check-in helpers.
- SSH role, zero-address role, IP lookup, OTP credential, issuer config, issuer list/submit/read/update/delete, CA public-key metadata, CA sign, generated certificate/key issue, and OTP verification helpers.
- TOTP key create/read/list/delete, code generation, and code validation helpers.
- PKI URL and CRL config, root/intermediate generation, intermediate signing and install, role write/read/list/delete/patch, issue, sign, revoke, certificate list/read, issuer/key list/read/delete/update, issuer revoke, CA/key import, ACME config/EAB/directory URL, CRL rotate, tidy, tidy status, and tidy cancel helpers.
- Transit key create, read, list, delete, config update, rotate, export, backup, restore, trim, encrypt/decrypt/rewrap batch helpers, data key, random, hash, HMAC, sign/verify batch helpers, typed RSA/JWS signing options, and optional raw-byte helpers.
- System health, readiness polling, seal status, leader status, OpenAPI discovery, JSON metrics, runtime logger level, version history, namespace management, rate-limit quota management, and loopback-only dev bootstrap helpers.
- Secret and auth mount enable, list, read, tune, and disable helpers.
- Response wrapping lookup, wrap, unwrap, and rewrap helpers.
- ACL policy list, read, write, delete, and prefix list helpers.
- Bounded ACL policy builder helpers for common KV v2 and Transit least-privilege rules.
- Idempotent admin bootstrap plan builder for KV v2 mounts, Transit mounts, Transit keys, ACL policies, KV v2 string secret values, auth methods, AppRole roles, explicit scoped service-token issuance, and explicit AppRole SecretID issuance.
- Capability checks for the caller token, an explicit token, or a token accessor.
- Audit device list, enable, disable, and hash helpers.
- Safe exact lease lookup, renew, revoke, prefix revoke, force prefix revoke, and lease count helpers.
- Plugin catalog list, type-list, register, read, delete, and backend reload helpers.
- Explicitly gated production init, unseal, seal, rekey, key-share rotation, and keyring rotation operator APIs.
- Environment-based client construction from common OpenBao/Vault variables.
- Shared authenticated client and Rust Duration to OpenBao duration string helpers for async application ergonomics.
- Bootstrap read-only preview, report lookup helpers for issued credentials, and changed steps.
- Best-effort FIPS-oriented posture reporting for crate-visible Transit and deployment assumptions; this is advisory and not a certification claim.
- Shared ListEntries ergonomics for common list responses without changing their documented fields.
- Optional RFC3339 timestamp parsing helpers behind the time feature.
- Raw JSON request escape hatch for endpoints that are not typed yet.
- Operator-gated raw storage read, write, list, and delete helpers.
- Operator-gated pprof diagnostic byte helpers.
- Typed custom plugin wrapper pattern documentation and safe building blocks for application-specific OpenBao plugin APIs.
- Local TLS OpenBao Podman stack on 9940 and 9941.
- Real OpenBao integration test gate using the pinned OpenBao image.
Delivered in 0.9.0:
- Public API audit, migration guides, fuzz/fixture hardening, quantum-readiness design notes, explicit retry/backoff, shared non-secret pagination, PKI/Identity bootstrap convergence, and explicit pre-1.0 decisions for background renewal/tracking, seal readiness polling, typed response wrapping, selective bootstrap convergence, and ACL policy-builder wrapping TTLs.
- Tracing and HTTP/2 are resolved as non-default features without runtime transport hooks.
Planned next:
- 0.10.0 through 0.15.0: close the endpoint matrix deliberately: Identity and auth, Transit advanced key management, PKI advanced/public/specialized flows, remaining system backend rows, then final endpoint closure and stable ergonomics. Request-level back-pressure, full OpenTelemetry SDK integration, certificate pinning, KV v1 bootstrap convergence, and ACL parameter-constraint HCL generation are rejected for stable scope.
- 1.0.0: stable API freeze after the endpoint matrix has zero planned or decision rows; after 1.0.0, only 1.0.x maintenance and security fixes are planned.
See API Coverage and Release Plan for the road to 1.0.0.
Trust Dashboard
| Area | Status |
|---|---|
| License | MIT OR Apache-2.0 |
| Rust edition | 2024 |
| MSRV | Rust 1.90.0 |
| Async runtime | Runtime-agnostic client; examples use Tokio |
| HTTP transport | reqwest with redirects disabled |
| Default TLS backend | Rustls |
| TLS floor | TLS 1.3 by default; TLS 1.2 requires explicit opt-in |
| Plain HTTP | Rejected by default; sensitive requests still require HTTPS |
| Token storage | openbao::SecretString (secrecy::SecretString) |
| Unsafe policy | unsafe_code = "forbid" |
| Path validation | Rejects traversal, query/fragment injection, empty segments, controls, and trailing periods |
| Error posture | API error strings are bounded and sanitized before formatting |
| Dependency policy | cargo deny plus RustSec audit in the release gate |
| Release evidence | fmt, clippy, tests, docs, deny, audit, SBOM, and real OpenBao integration |
| Pentest gate | Required before tagging a release |
Security details live in SECURITY.md. Release evidence and release sequencing live in release-notes and docs/RELEASE_PLAN.md.
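The path-validation row above lists what the client refuses before a path is joined onto the base URL. The following is an added illustration written for this README, not the crate's own validator; the error variants, the length bound and the rejection of pre-percent-encoded input are this example's choices.

```rust
// Added illustration of the README's path-validation posture; this is example
// code, not the crate's validator. It rejects traversal, query/fragment
// injection, empty segments, control characters and trailing periods before a
// mount-relative API path is appended to the OpenBao base URL.
use std::fmt;

/// Bound on accepted path length (this example's choice, not a crate constant).
const MAX_PATH_LEN: usize = 1024;

#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    Empty,
    TooLong,
    ControlCharacter,
    /// '?', '#', '%', '\\' or whitespace: these change how the URL is parsed,
    /// or let pre-encoded input slip past the segment checks below.
    ForbiddenCharacter(char),
    /// "." or ".." segments, which a URL parser would resolve away.
    Traversal,
    /// "a//b" or a trailing "/", which would address a different path.
    EmptySegment,
    /// A segment ending in '.', which some path normalizers strip.
    TrailingPeriod,
}

impl fmt::Display for PathError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            PathError::Empty => write!(f, "path is empty"),
            PathError::TooLong => write!(f, "path exceeds {MAX_PATH_LEN} bytes"),
            PathError::ControlCharacter => write!(f, "path contains a control character"),
            PathError::ForbiddenCharacter(c) => write!(f, "path contains forbidden character {c:?}"),
            PathError::Traversal => write!(f, "path contains a dot segment"),
            PathError::EmptySegment => write!(f, "path contains an empty segment"),
            PathError::TrailingPeriod => write!(f, "path segment ends with a period"),
        }
    }
}

impl std::error::Error for PathError {}

/// Validates a mount-relative API path such as "secret/data/app/config".
/// One leading '/' is tolerated and stripped; the returned slice is safe to
/// append to "<base>/v1/". Character checks run before segment checks so a
/// control character is reported as such even inside a dot segment.
pub fn validate_path(path: &str) -> Result<&str, PathError> {
    let path = path.strip_prefix('/').unwrap_or(path);
    if path.is_empty() {
        return Err(PathError::Empty);
    }
    if path.len() > MAX_PATH_LEN {
        return Err(PathError::TooLong);
    }
    for c in path.chars() {
        if c.is_control() {
            return Err(PathError::ControlCharacter);
        }
        if c.is_whitespace() || matches!(c, '?' | '#' | '%' | '\\') {
            return Err(PathError::ForbiddenCharacter(c));
        }
    }
    for segment in path.split('/') {
        if segment.is_empty() {
            return Err(PathError::EmptySegment);
        }
        if segment == "." || segment == ".." {
            return Err(PathError::Traversal);
        }
        if segment.ends_with('.') {
            return Err(PathError::TrailingPeriod);
        }
    }
    Ok(path)
}

fn main() {
    // Constructed inputs: one acceptable path and several that must be refused.
    let candidates = ["secret/data/app/config", "secret/../sys/policies/acl/root",
        "secret/data/app?version=3", "secret//data", "secret/%2e%2e/sys"];
    for candidate in candidates {
        match validate_path(candidate) {
            Ok(p) => println!("accepted {p:?}"),
            Err(e) => println!("rejected {candidate:?}: {e}"),
        }
    }
}
```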
Rust Version Support
The minimum supported Rust version is Rust 1.90.0. New deployments should
prefer the latest stable Rust; as of June 1, 2026, that is Rust 1.96.0.
The 0.9.0 development line tracks compatibility evidence across this supported
range:
| Rust | Required Evidence |
|---|---|
| 1.90.0 | Full test suite and clippy. |
| 1.91.0 | cargo check --all-features. |
| 1.92.0 | cargo check --all-features. |
| 1.93.0 | cargo check --all-features. |
| 1.94.0 | cargo check --all-features. |
| 1.95.0 | cargo check --all-features. |
| 1.96.0 | cargo check --all-features. |
Install
```toml
[dependencies]
openbao = "0.9"
serde = { version = "1.0.228", features = ["derive"] }
tokio = { version = "1.52.3", features = ["macros", "rt-multi-thread", "time"] }
```
Some advanced examples below use JSON helper types directly:
```toml
[dependencies]
serde_json = "1.0.150"
```
The crate defaults to the common SDK surface:
```toml
[dependencies]
openbao = { version = "0.9", features = ["approle", "cert-auth", "cubbyhole", "database", "jwt-auth", "kubernetes-auth", "ldap-auth", "radius-auth", "kubernetes", "userpass", "token", "kv1", "kv2", "pki", "ssh", "totp", "transit", "sys", "rustls-tls"] }
```
For a smaller build, disable defaults and opt into only what the application uses:
```toml
[dependencies]
openbao = { version = "0.9", default-features = false, features = ["kv2", "sys", "rustls-tls"] }
```
Optional RFC3339 timestamp parsing is available behind the lightweight time
feature:
```toml
[dependencies]
openbao = { version = "0.9", features = ["time"] }
```
Features
| Feature | Default | Purpose |
|---|---|---|
| approle | yes | AppRole login, role, delegated role-property, RoleID, and SecretID helpers. |
| cert-auth | yes | TLS certificate auth login/config/role/CRL helpers. |
| cubbyhole | yes | Token-scoped Cubbyhole read/write/delete/list helpers. |
| database | yes | Database secrets engine config, role, credential, and rotation helpers. |
| identity | yes | Identity entity, group, entity-alias, and group-alias helpers. |
| jwt-auth | yes | JWT login plus JWT/OIDC config, role administration, auth URL, callback, and poll helpers. |
| kerberos-auth | yes | Kerberos SPNEGO login, service-account config, LDAP config, and group mapping helpers. |
| kubernetes-auth | yes | Kubernetes auth login/config/role helpers. |
| ldap-auth | yes | LDAP auth login/config/user/group mapping helpers. |
| radius-auth | yes | RADIUS login/config/user mapping helpers. |
| kubernetes | yes | Kubernetes secrets engine config, role, and generated service account token helpers. |
| ldap | yes | LDAP secrets engine config, static/dynamic role, credential, and library helpers. |
| rabbitmq | yes | RabbitMQ secrets engine connection, lease, role, and credential helpers. |
| userpass | yes | Userpass login and user administration helpers. |
| token | yes | Token lifecycle, create-orphan, accessor renewal/revocation, token role, tidy, and revoke-orphan helpers. |
| kv1 | yes | KV v1 secrets engine helpers. |
| kv2 | yes | KV v2 secrets engine helpers. |
| pki | yes | PKI authority, issuer/key metadata/import, role, role patch, issue/sign, revoke, cert read/list, ACME config/EAB/directory URL, CRL config/rotate, tidy, tidy status, and tidy cancel helpers. |
| ssh | yes | SSH roles, OTP credentials, issuer management, CA sign/issue, issuer config, and OTP verification helpers. |
| totp | yes | TOTP key and code helpers. |
| transit | yes | Transit key lifecycle, batch cryptography, and single-operation cryptography helpers. |
| transit-bytes | no | Raw-byte Transit convenience helpers using base64-ng for OpenBao's base64 request/response fields. |
| sys | yes | System backend, readiness, leases, quotas, storage, diagnostics, and operator-gated helpers. |
| http2 | no | Enables reqwest HTTP/2 support. ALPN negotiates HTTP/2 when OpenBao supports it and otherwise falls back to HTTP/1.1. |
| time | no | Optional RFC3339 timestamp parsing helpers using the time crate. |
| tracing | no | Optional request/response instrumentation with method, validated path, and status only. No OpenTelemetry SDK dependency. |
| allow-sha1 | no | Explicit opt-in for legacy Transit SHA-1 selection. Disabled by default. |
| rustls-tls | yes | Rustls transport configuration. |
| native-tls | no | Legacy native TLS support. Requires native-tls-acknowledged after audit. |
| native-tls-acknowledged | no | Explicit acknowledgment for audited native TLS builds. |
| operator-ops | no | Production init, unseal, seal, rekey, key-share rotate, keyring rotate, raw storage, and destructive PKI root deletion APIs. Requires operator-ops-acknowledged. |
| operator-ops-acknowledged | no | Explicit acknowledgment for audited operator-operation builds. |
Support Matrix
The detailed OpenBao 2.5.x endpoint-by-endpoint coverage matrix is tracked
in docs/OPENBAO_2_5_ENDPOINT_MATRIX.md.
For the current 0.9.0 line it records 643 documented endpoint rows, with
469/643 (72.9%) strict typed or operator-gated coverage.
Client, Transport, And TLS
| Capability | Status | Notes |
|---|---|---|
| Async client | Yes | Built on reqwest with a small public API surface. |
| Typestate auth | Yes | Separate unauthenticated and authenticated client states. |
| HTTPS by default | Yes | Plain HTTP is rejected unless loopback HTTP is explicitly enabled. |
| Redirect protection | Yes | Redirect following is disabled to avoid forwarding token headers. |
| Response size cap | Yes | 32 MiB default with per-client lowering for small-response workflows. |
| Timestamp parsing | Optional | Enable time for RFC3339 parsing helpers without changing response field types. |
| TLS floor | Yes | TLS 1.3 minimum by default; audited legacy deployments can opt down to TLS 1.2. |
| HTTP protocol | HTTP/1.1 by default | Enable non-default http2 for TLS ALPN HTTP/2 negotiation. No runtime HTTP/2 knob is exposed. |
| Custom CA roots | Yes | Extra root certificates can be merged with the platform trust store. |
| Root-only trust stores | Yes | System roots can be bypassed by using only configured root certificates. This is the supported alternative to leaf certificate or SPKI pinning. |
| Client TLS identity | Yes | Optional mutual TLS client identity for TLS certificate auth. |
| Connection timeout | Yes | 5-second connection timeout by default; caller overrides are bounded. |
| User agent fingerprinting | Yes | Default user agent omits the exact crate version. |
| Namespace header | Yes | X-Vault-Namespace support for namespace-aware deployments. |
| Environment construction | Yes | Reads OPENBAO_*, BAO_*, and VAULT_* aliases with secure defaults. |
| Raw JSON requests | Yes | Escape hatch for endpoints that are not typed yet. |
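The HTTPS-by-default and environment-construction rows above, as an added example written for this README rather than taken from the crate: alias lookup across OPENBAO_/BAO_/VAULT_, https required, and plain http accepted only for a numeric loopback address with an explicit opt-in. The alias precedence order, the error names and the settings struct are this example's assumptions.

```rust
// Added illustration of the README's transport policy, written for this README
// and not taken from the crate: resolve OPENBAO_/BAO_/VAULT_ aliases, require
// https, and allow plain http only for a numeric loopback IP when the caller
// explicitly opted in. Alias precedence and error names are this example's
// assumptions.
use std::collections::HashMap;
use std::net::IpAddr;

#[derive(Debug, PartialEq, Eq)]
pub enum AddrError {
    MissingAddr,
    NoScheme,
    UnsupportedScheme(String),
    /// user:password@ in the URL would leak into logs and error strings.
    UserInfoRejected,
    InvalidHost,
    /// http:// to anything but a numeric loopback IP, or without the opt-in.
    PlainHttpRejected,
}

#[derive(Debug, PartialEq, Eq)]
pub struct ClientSettings {
    pub addr: String,
    pub namespace: Option<String>,
    pub ca_cert: Option<String>,
    pub tls_roots_only: bool,
}

/// Looks up NAME as OPENBAO_NAME, then BAO_NAME, then VAULT_NAME (assumed order).
pub fn env_alias<'a>(env: &'a HashMap<String, String>, name: &str) -> Option<&'a str> {
    ["OPENBAO_", "BAO_", "VAULT_"]
        .iter()
        .find_map(|prefix| env.get(&format!("{prefix}{name}")).map(String::as_str))
}

/// Accepts only an explicit affirmative; anything else, including unset, is false.
pub fn flag_enabled(value: Option<&str>) -> bool {
    matches!(value.map(|v| v.trim().to_ascii_lowercase()).as_deref(), Some("1" | "true" | "yes"))
}

fn host_of(authority: &str) -> Result<&str, AddrError> {
    if let Some(rest) = authority.strip_prefix('[') {
        // Bracketed IPv6 literal such as [::1]:8200.
        let end = rest.find(']').ok_or(AddrError::InvalidHost)?;
        return Ok(&rest[..end]);
    }
    match authority.split(':').next() {
        Some(host) if !host.is_empty() => Ok(host),
        _ => Err(AddrError::InvalidHost),
    }
}

/// Enforces the scheme policy. "localhost" over http is rejected on purpose:
/// only a numeric loopback IP is accepted, so DNS cannot redirect the call.
pub fn check_addr(addr: &str, allow_loopback_http: bool) -> Result<String, AddrError> {
    let (scheme, rest) = addr.split_once("://").ok_or(AddrError::NoScheme)?;
    let authority = rest.split(['/', '?', '#']).next().unwrap_or("");
    if authority.contains('@') {
        return Err(AddrError::UserInfoRejected);
    }
    let host = host_of(authority)?;
    match scheme {
        "https" => Ok(addr.to_string()),
        "http" => {
            let ip: IpAddr = host.parse().map_err(|_| AddrError::PlainHttpRejected)?;
            if allow_loopback_http && ip.is_loopback() {
                Ok(addr.to_string())
            } else {
                Err(AddrError::PlainHttpRejected)
            }
        }
        other => Err(AddrError::UnsupportedScheme(other.to_string())),
    }
}

/// Builds settings from an environment map (a HashMap rather than the process
/// environment so the logic is testable offline).
pub fn settings_from_env(env: &HashMap<String, String>, allow_loopback_http: bool) -> Result<ClientSettings, AddrError> {
    let addr = env_alias(env, "ADDR").ok_or(AddrError::MissingAddr)?;
    Ok(ClientSettings {
        addr: check_addr(addr, allow_loopback_http)?,
        namespace: env_alias(env, "NAMESPACE").map(str::to_owned),
        ca_cert: env_alias(env, "CACERT").map(str::to_owned),
        tls_roots_only: flag_enabled(env_alias(env, "TLS_ROOTS_ONLY")),
    })
}
```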
Authentication
| Capability | Status | Notes |
|---|---|---|
| Direct token auth | Yes | Tokens are accepted as SecretString. |
| X-Vault-Token | Yes | Default documented OpenBao-compatible token header. |
| Bearer auth | Yes | Optional Authorization: Bearer header mode. |
| AppRole login/admin | Yes | Role ID, SecretID, accessors, and returned tokens are secret-aware; role, delegated role-property, and SecretID lifecycle helpers are typed. |
| Token accessor handling | Yes | Accessors are treated as secret material. |
| Token lifecycle helpers | Yes | Lookup, accessor lookup/list, create/create-orphan, renew/renew-accessor, revoke, revoke-self, and revoke-accessor helpers. |
| Kubernetes auth | Yes | Login, auth method config, and role administration helpers. |
| TLS certificate auth | Yes | Login, auth method config, CA role administration, and CRL helpers. |
| JWT/OIDC | Yes | JWT login plus JWT/OIDC auth method config, role administration, browser auth URL, callback, and direct/device poll helpers. |
| LDAP auth | Yes | Login, method config, user/group create/read/list/delete policy mapping helpers. |
| RADIUS auth | Yes | Login, method config, user create/read/list/delete, paginated user list helpers, and a documented warning for RADIUS UDP/MD5 protocol risk. |
| Kerberos auth | Yes | SPNEGO login, service-account/keytab config, Kerberos LDAP config, and group create/read/list/delete mapping helpers. |
| Userpass auth | Yes | Login and user create/read/list/delete, password update, and policy update helpers. |
Secret Engines
| Capability | Status | Notes |
|---|---|---|
| KV v2 read/write | Yes | Typed serialization and deserialization. |
| KV v2 CAS write | Yes | Optional check-and-set version support. |
| KV v2 patch | Yes | JSON merge patch content type. |
| KV v2 list/delete versions | Yes | Metadata list, latest delete, soft delete, undelete, and destroy. |
| KV v2 metadata/config | Yes | Backend, per-key metadata, typed data, and secret-aware service config helpers. |
| KV v1 | Yes | Read, write, delete, and list helpers. |
| Cubbyhole | Yes | Token-scoped read, optional read, write, delete, and list helpers. |
| Kubernetes secrets | Yes | Config, role create/read/list/delete, and generated service account token helpers. |
| RabbitMQ secrets | Yes | Connection config, lease config, role create/read/list/delete, and generated credential helpers. |
| Identity | Yes | Entity, group, entity-alias, and group-alias lifecycle helpers, entity/group lookup, and entity merge. Identity OIDC admin/discovery/token/introspection and MFA management are planned for 0.10.0; named-provider OIDC browser protocol flows stay external. |
| LDAP secrets | Yes | Config, root rotation, static roles/credentials, dynamic roles/credentials, and library check-out/check-in helpers. |
| Database credentials | Yes | Connection config/list/read/delete, dynamic roles/credentials, static roles/credentials, and root/static rotation helpers. |
| Transit | Yes | Key create/read/list/delete/config update/rotate/export/backup/restore/trim, encrypt/decrypt/rewrap batch helpers, data key, random, hash, HMAC, sign/verify batch helpers, typed RSA/JWS signing options, and optional raw-byte helpers. Import/BYOK endpoint wrappers are planned for 0.11.0 with pre-wrapped SecretString ciphertext only; no raw key bytes enter those wrappers. Soft-delete/restore, cache/global config, CSR, certificate-install, and optional transit-import wrapping-helper work are planned before 1.0.0. |
| PKI | Partial | Authority generation/signing/install, URL/CRL config, roles, role patch, issue, sign, revoke, certificate list/read, issuer/key list/read/delete/update, issuer revoke, operator-gated default root deletion with explicit confirmation, CA/key import, ACME config/EAB/directory URL, CRL rotate, tidy, tidy status, and tidy cancel are implemented. Tier 1 multi-issuer/config/root rotation/sign-verbatim/revoke-with-key and struct field completion are planned for 0.12.0; Tier 2 revocation/CEL/cross-sign/delta-CRL work is planned for 0.13.0; unauthenticated public CA/CRL/cert and OCSP protocol reads stay external. |
| TOTP | Yes | Key create/read/list/delete, code generation, and code validation helpers. |
| SSH | Partial | Roles, zero-address roles, IP role lookup, OTP credentials, issuer config/list/submit/read/update/delete, authenticated CA public-key metadata, CA sign/issue, and OTP verification are implemented. Raw unauthenticated public-key reads are intentionally not typed. |
| Custom plugin patterns | Yes | Documented wrapper pattern for typed plugin-specific APIs over Client::request_json. |
System Backend And Operations
| Capability | Status | Notes |
|---|---|---|
| Health | Yes | Accepts OpenBao active, standby, sealed, and uninitialized health statuses. |
| Init status | Yes | Typed /sys/init status helper. |
| Seal status | Yes | Typed /sys/seal-status helper. |
| Leader status | Yes | Typed /sys/leader helper. |
| HA status | Yes | Typed /sys/ha-status helper with bounded node lists. |
| Key status | Yes | Typed /sys/key-status helper. |
| OpenAPI discovery | Yes | Typed JSON helper for /sys/internal/specs/openapi. |
| Internal UI helpers | Yes | Internal UI namespace and mount discovery helpers with bounded maps; OpenBao does not guarantee endpoint stability. |
| Metrics | Yes | Typed JSON helper for /sys/metrics?format=json and capped Prometheus text helper. |
| Host diagnostics | Yes | JSON helper for /sys/host-info platform diagnostics. |
| Pprof diagnostics | Gated | Capped zeroizing byte helpers for /sys/pprof/:profile, available only with operator-ops plus operator-ops-acknowledged. |
| Sanitized config state | Yes | JSON helper for /sys/config/state/sanitized. |
| Audited request headers | Yes | List, read, write, and delete /sys/config/auditing/request-headers helpers. |
| CORS config | Yes | Read, write, and delete /sys/config/cors helpers with bounded lists, header validation, and wildcard-origin rejection. |
| Runtime loggers | Yes | Read, set, and reset transient /sys/loggers verbosity levels. |
| Version history | Yes | Typed LIST helper for installed OpenBao version history. |
| Namespaces | Yes | List, create, read, patch, and delete namespace helpers with local name validation. |
| Rate-limit quotas | Yes | Global quota config plus named rate-limit quota list/create/read/delete helpers. |
| Locked users | Yes | List all locked users, filter by mount accessor, and unlock aliases. |
| Raft storage | Yes | Integrated Storage Raft join/configuration/peer/bootstrap, capped snapshot download/restore, and Autopilot JSON helpers; join helpers require HTTPS leader addresses. |
| Remount | Yes | Start mount migrations and poll migration status. |
| Step down | Gated | Active-node handoff helper for /sys/step-down, available only with operator-ops plus operator-ops-acknowledged. |
| System tools | Yes | Random byte generation and hash helpers with bounded random requests and secret-aware outputs. |
| Dev bootstrap | Yes | Fresh numeric-loopback dev instances only; not for production or HSM/KMS deployments. |
| Mount management | Yes | Secret and auth mount enable/list/read/tune/disable helpers. |
| Response wrapping | Yes | Lookup, wrap, unwrap, and rewrap helpers. |
| Policies and capabilities | Yes | ACL policy read/write/list/delete, bounded policy builder helpers, self/token/accessor capability checks, and typed capability views. |
| Admin bootstrap | Yes | Idempotent plan builder, read-only preview, mounts, Transit keys, ACL policies, KV v2 string values, auth methods, AppRole roles, explicit token issuance, and explicit AppRole SecretID issuance. |
| FIPS posture helper | Advisory | Best-effort report for crate-visible Transit choices and deployment assumptions. Does not certify OpenBao or the deployment. |
| List ergonomics | Yes | ListEntries exposes entries, iter, len, is_empty, and contains for common string list responses. |
| Audit devices | Yes | Enable, list, disable, and audit hash helpers. |
| Lease helpers | Yes | Safe exact lookup, renew, revoke, prefix revoke, force prefix revoke, count, tidy, and RenewalHint timing helpers for caller-owned renewal loops. |
| Plugin catalog | Yes | List, type-list, register, read, delete, and mounted backend reload helpers. |
| Production init, unseal, rekey, rotate, PKI root deletion | Gated | Available only with operator-ops plus operator-ops-acknowledged; default builds cannot call these APIs. PKI root deletion also requires PkiRootDeletion::confirm() at the call site. |
| Remaining system rows | Partial | Password policies, root/recovery token ceremonies, resultant ACL, and legacy recovery-key rekey are planned before 1.0.0; config-ui, monitor streaming, and internal router inspection are rejected for stable scope. |
Examples
Create a client from an existing token:
use ;
async
Create an authenticated client from environment variables:
use ;
async
Retry an idempotent raw request with explicit exponential backoff:
use Duration;
use ;
async
Retry is never global. Use it only when the call is read-only or otherwise idempotent for your application.
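The backoff described above, as an added example written for this README and not the crate's own retry API: bounded exponential delays, retries only on transient failures, and the sleep supplied by the caller's runtime. The HTTP status classification and the error-text bound are this example's assumptions.

```rust
// Added example for the retry guidance above, written for this README and not
// the crate's retry API: an explicit, bounded exponential backoff that retries
// only transient failures, with the sleep injected so an async caller can pass
// its runtime's timer (e.g. tokio::time::sleep) and tests can record the schedule.
use std::time::Duration;

/// Bound on how much server-supplied error text is kept (this example's choice).
const MAX_ERROR_LEN: usize = 256;

#[derive(Clone, Copy, Debug)]
pub struct Backoff {
    pub max_attempts: u32,
    pub base: Duration,
    pub cap: Duration,
}

impl Backoff {
    /// Delay before retrying after failed attempt `attempt` (1-based):
    /// base * 2^(attempt - 1), saturating at `cap` even for huge attempt counts.
    pub fn delay(&self, attempt: u32) -> Duration {
        let factor = 1u32.checked_shl(attempt.saturating_sub(1)).unwrap_or(u32::MAX);
        self.base.checked_mul(factor).unwrap_or(self.cap).min(self.cap)
    }
}

/// Classified failure of one attempt. Only `Transient` is ever retried.
#[derive(Debug, PartialEq, Eq)]
pub enum Failure {
    Transient(String),
    Permanent(String),
}

/// Bounds and strips control characters from server error text before it is
/// formatted into a message or log line.
pub fn sanitize_error(body: &str) -> String {
    body.chars().filter(|c| !c.is_control()).take(MAX_ERROR_LEN).collect()
}

/// Maps an HTTP status to a retry class: 429 and 5xx are transient; any other
/// non-2xx status (for example 403 permission denied) is permanent and is
/// returned at once with a sanitized, bounded message.
pub fn classify_status(status: u16, body: &str) -> Result<(), Failure> {
    match status {
        200..=299 => Ok(()),
        429 | 500 | 502 | 503 | 504 => Err(Failure::Transient(format!("status {status}"))),
        _ => Err(Failure::Permanent(format!("status {status}: {}", sanitize_error(body)))),
    }
}

/// Runs `op` until it succeeds, returns a permanent failure, or exhausts the
/// attempt budget. `op` receives the 1-based attempt number. Use this only for
/// read-only or otherwise idempotent calls.
pub fn retry_idempotent<T, F, S>(policy: Backoff, mut op: F, mut sleep: S) -> Result<T, Failure>
where
    F: FnMut(u32) -> Result<T, Failure>,
    S: FnMut(Duration),
{
    let mut attempt = 1;
    loop {
        match op(attempt) {
            Ok(value) => return Ok(value),
            Err(Failure::Permanent(msg)) => return Err(Failure::Permanent(msg)),
            Err(Failure::Transient(msg)) => {
                if attempt >= policy.max_attempts {
                    return Err(Failure::Transient(msg));
                }
                sleep(policy.delay(attempt));
                attempt += 1;
            }
        }
    }
}

fn main() {
    // Constructed response sequence standing in for a read-only request:
    // two 503s from a sealed or standby node, then success on the third try.
    let responses = [503u16, 503, 200];
    let policy = Backoff { max_attempts: 4, base: Duration::from_millis(100), cap: Duration::from_secs(2) };
    let result = retry_idempotent(
        policy,
        |attempt| classify_status(responses[(attempt - 1) as usize], "").map(|_| attempt),
        |delay| println!("sleeping {delay:?} before the next attempt"),
    );
    println!("{result:?}"); // Ok(3)
}
```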
Configure a stricter client with a namespace and root-only trust store:
Use only_root_certificates when you want to trust only your internal OpenBao
CA and reject every platform or public CA root. This is intentionally preferred
over leaf certificate or public-key pinning because your CA can rotate server
certificates without requiring every client to update a pin. For a self-signed
OpenBao listener certificate, pass that certificate as the sole trusted root.
use ;
use Certificate;
use SecretString;
async
The environment equivalent is OPENBAO_CACERT=/path/to/ca.pem together with
OPENBAO_TLS_ROOTS_ONLY=true.
Authenticate with AppRole:
use ;
async
Authenticate with Userpass:
use ;
async
Authenticate with JWT:
use ;
async
Start an OIDC browser login and handle the callback without logging returned token material:
use ;
use ;
async
Write and read KV v2 data:
use ;
use SecretString;
use ;
async
Use KV v2 check-and-set, patch, and version operations:
use ;
use ;
use SecretString;
use Serialize;
async
Parse OpenBao timestamps when the time feature is enabled:
use ;
use Deserialize;
async
Load service configuration from KV v2:
use ;
use SecretString;
use Deserialize;
async
Share an authenticated client across async tasks:
use ;
Read dynamic database credentials:
use ;
async
Create and validate a TOTP code without logging the generated code:
use ;
use ;
async
Issue an SSH certificate and generated private key without logging the key:
use ;
use ;
async
Provision ACME external account binding and hand it to an ACME client:
use ;
async
Use a KV v1 mount:
use ;
use SecretString;
use ;
async
Encrypt and decrypt through Transit:
use ;
use ;
use ;
async
Encrypt and decrypt raw bytes with the optional transit-bytes feature:
use ;
use ;
async
Manage a Transit key and encrypt a small batch:
use ;
use ;
async
Sign data for JWS/JWT-style ECDSA workflows:
use ;
use ;
async
Create a constrained token role for repeatable service-token issuance:
use TokenRole;
use ;
async
Create, inspect, renew, and revoke child or orphan tokens:
use TokenCreateRequest;
use ;
use SecretString;
use BTreeMap;
async
Enable a KV v2 mount:
use ;
use SecretString;
async
Wait for OpenBao readiness with a runtime-provided sleep function:
use ;
use Duration;
async
Count leases and revoke an application lease prefix:
use ;
async
Wrap and unwrap JSON data:
use ;
use SecretString;
use ;
async
Write an ACL policy and check capabilities:
use ;
async
Run a small idempotent service bootstrap:
use TokenCreateRequest;
use AdminBootstrap;
use TransitCreateKeyRequest;
use ;
use BTreeMap;
async
Build an advisory FIPS-oriented posture report:
use FipsPosture;
use ;
The posture report only covers choices visible to the SDK. It does not certify OpenBao, your cryptographic provider, HSM/KMS setup, TLS stack, operating system, or deployment process.
Enable an audit device and calculate an audit hash:
use ;
use AuditEnableRequest;
use BTreeMap;
async
Look up and renew one exact lease:
use ;
async
Read and reload a plugin catalog entry:
use ;
use ;
use SecretString;
async
Discover OpenBao's OpenAPI document:
use ;
use SecretString;
async
The raw request layer is intentionally low level. Prefer typed helpers when the crate supports an endpoint; use raw JSON to bridge missing OpenBao APIs while coverage grows.
For application-specific OpenBao plugins, keep raw JSON calls behind a small
typed wrapper built with PluginMount, the public path validators, and bounded
list helpers such as BoundedStringList. See
Typed Custom Plugin Pattern for a complete
request/response wrapper example with path validation, secret redaction, and
test guidance. Generic plugin traits are intentionally out of scope because
plugin schemas are deployment-specific.
Local OpenBao Dev Instance
The local dev stack uses Podman, TLS, a private CA, and loopback-only ports in
the requested 994x range.
Prepare the rootless Podman volume and TLS assets without starting OpenBao:
This project does not require a /srv directory tree for local development:
raft data lives in a Podman-managed volume, and TLS material lives in the
ignored deploy/podman/dev-state/ directory.
Endpoints:
- API: https://127.0.0.1:9940
- Cluster: https://127.0.0.1:9941
- CA certificate: deploy/podman/dev-state/tls/dev-ca.crt
Initialize and unseal OpenBao using bao operator init and
bao operator unseal, then export BAO_ADDR=https://127.0.0.1:9940 and
BAO_CACERT=deploy/podman/dev-state/tls/dev-ca.crt.
For disposable local development, the crate can initialize and unseal a fresh numeric-loopback instance directly:
use ;
use Certificate;
async
bootstrap_dev is not a production initialization ceremony. It creates root
and unseal material in process memory, uses Shamir keys, refuses non-loopback
targets, and refuses already initialized servers. Do not use it with HSM/KMS
auto-unseal, shared environments, or any instance that requires operator key
ceremony.
Run the real OpenBao integration flow:
The integration script creates a fresh TLS dev instance, initializes and
unseals it, stores the root token in a temporary 0600 file for the test
process, and removes that file when the run exits.
Release Discipline
Run the normal local checks:
Run the current release gate:
Set OPENBAO_SKIP_INTEGRATION=1 only when Podman is unavailable; release
candidate validation should run the integration gate.
No release tag should be cut unless the matching pentest report status is reviewed and recorded in the release notes.